package com.sxj.corejava.code13_JDBC;

import java.sql.*;
import java.util.ArrayList;
import java.util.List;

public class Test02_SQL注入 {

    public static void main(String[] args) {
//        List<User> users = selectByUsernameAndPassword("admin","111111");
//        List<User> users = selectByUsernameAndPassword("admin","123456");
//        List<User> users = selectByUsernameAndPassword("1' or '1' = '1","1' or '1' = '1");
        List<User> users = selectByUsernameAndPassword2("1' or '1' = '1", "1' or '1' = '1");
//        List<User> users = selectByUsernameAndPassword2("admin","111111");
        for (User user : users) {
            System.out.println(user);
        }
        if (users.isEmpty()) {
            System.out.println("错误:您输入的用户名或密码错误,请重新输入");
        } else {
            System.out.println("提示:恭喜您,登录成功");
        }
    }

    public static List<User> selectByUsernameAndPassword(String username, String password) {
        Connection conn = null;
        Statement st = null;
        ResultSet rs = null;
        List<User> users = new ArrayList<>();
        try {
            Class.forName("com.mysql.cj.jdbc.Driver");
            conn = DriverManager.getConnection("jdbc:mysql://127.0.0.1:3306/jdbc?useUnicode=true&characterEncoding=utf-8", "root", "root");
            st = conn.createStatement();
            String sql = "select * from t_user where username = '" + username + "' and password = '" + password + "'";
            rs = st.executeQuery(sql);
            while (rs.next()) {
                User user = new User();
                user.setId(rs.getInt("id"));
                user.setUsername(rs.getString("username"));
                user.setPassword(rs.getString("password"));
                user.setPhone(rs.getString("phone"));
                user.setAddress(rs.getString("address"));
                users.add(user);
            }
        } catch (ClassNotFoundException e) {
            throw new RuntimeException(e);
        } catch (SQLException e) {
            throw new RuntimeException(e);
        }
        return users;
    }

    public static List<User> selectByUsernameAndPassword2(String username, String password) {
        Connection conn = null;
        PreparedStatement ps = null;
        ResultSet rs = null;
        List<User> users = new ArrayList<>();
        try {
            Class.forName("com.mysql.cj.jdbc.Driver");
            conn = DriverManager.getConnection("jdbc:mysql://127.0.0.1:3306/jdbc?useUnicode=true&characterEncoding=utf-8", "root", "root");
            String sql = "select * from t_user where username = ? and password = ?";
            ps = conn.prepareStatement(sql);
            // 通过ps.setXxx(index,value)的方式向sql中传递参数
            // Xxx表示参数类型,如果不知道类型,可以使用Object表示
            // index:表示第几个参数,值从1开始
            // value:具体的参数值
            ps.setString(1, username);
            ps.setString(2, password);
            rs = ps.executeQuery();
            while (rs.next()) {
                User user = new User();
                user.setId(rs.getInt("id"));
                user.setUsername(rs.getString("username"));
                user.setPassword(rs.getString("password"));
                user.setPhone(rs.getString("phone"));
                user.setAddress(rs.getString("address"));
                users.add(user);
            }
        } catch (ClassNotFoundException e) {
            throw new RuntimeException(e);
        } catch (SQLException e) {
            throw new RuntimeException(e);
        }
        return users;
    }

}
